The Advanced Blocks Pro plugin for WordPress, developed by essamamdani, suffers from a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-9074. This vulnerability is classified under CWE-79, which involves improper neutralization of input during web page generation. Specifically, the plugin fails to adequately sanitize and escape SVG file uploads, allowing authenticated users with Author-level access or higher to embed arbitrary JavaScript code within SVG files. When these SVG files are rendered in the context of a web page, the malicious scripts execute in the browsers of users who view the content, potentially compromising their session integrity and data confidentiality. The vulnerability affects all plugin versions up to and including 1.0.0. The CVSS v3.1 base score is 6.4, indicating a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (Author or above), no user interaction, and a scope change. The impact includes limited confidentiality and integrity loss but no availability impact. No patches or official fixes are currently linked, and no known exploits have been observed in the wild. This vulnerability highlights the risks of insufficient input validation in file upload functionalities within WordPress plugins, especially those handling SVG files, which can contain embedded scripts.

The primary impact of CVE-2024-9074 is the potential for attackers with Author-level access to inject persistent malicious scripts into WordPress sites using the Advanced Blocks Pro plugin. This can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or redirection to malicious sites. Since the vulnerability is stored and triggers upon SVG file access, any user viewing the infected content is at risk, including administrators and visitors. The compromise of user sessions or credentials can escalate to broader site control or data breaches. For organizations, this can result in reputational damage, loss of customer trust, and potential regulatory penalties if sensitive data is exposed. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but many WordPress sites have multiple authors, increasing the attack surface. The absence of availability impact means the site remains operational, potentially masking the ongoing exploitation. Given WordPress's widespread use globally, this vulnerability poses a significant risk to websites relying on this plugin for content management.

To mitigate CVE-2024-9074, organizations should first check for and apply any official patches or updates from the plugin developer once available. Until a patch is released, administrators should restrict Author-level privileges to trusted users only and audit existing user roles to minimize risk. Implementing Web Application Firewalls (WAF) with rules to detect and block malicious SVG uploads or script injections can provide interim protection. Disabling SVG uploads or converting SVGs to safer formats may reduce attack vectors. Additionally, site owners should enable Content Security Policy (CSP) headers to restrict script execution origins, limiting the impact of injected scripts. Regularly scanning the website for malicious content and monitoring user activity logs can help detect exploitation attempts early. Educating authors about the risks of uploading untrusted files and enforcing strong authentication mechanisms, such as multi-factor authentication (MFA), will further reduce the likelihood of account compromise. Finally, consider isolating or sandboxing SVG rendering if possible to contain potential script execution.